DKIM: dkim_verify_min_keysizes option

7 files changed, 101 insertions, 6 deletions

diff --git a/test/confs/4500 b/test/confs/4500
index c7335327e..9f0829c1a 100644
--- a/test/confs/4500
+++ b/test/confs/4500
@@ -14,6 +14,9 @@ acl_smtp_data = check_data
 
 log_selector = +dkim_verbose
 dkim_verify_hashes = sha256 : sha512 : sha1
+.ifdef MSIZE
+dkim_verify_min_keysizes = MSIZE
+.endif
 
 queue_only
 queue_run_in_order
diff --git a/test/confs/4520 b/test/confs/4520
index 770d8cc62..1f9d75b80 100644
--- a/test/confs/4520
+++ b/test/confs/4520
@@ -15,6 +15,7 @@ acl_smtp_dkim = accept logwrite = dkim_acl: signer: $dkim_cur_signer bits: $dkim
 acl_smtp_data = accept logwrite = data acl: dkim status $dkim_verify_status
 
 dkim_verify_signers = $dkim_signers
+dkim_verify_min_keysizes = rsa=512 ed25519=250
 .ifdef FILTER
 dkim_verify_minimal = true
 .endif
diff --git a/test/log/4500 b/test/log/4500
index 7dc89c5c2..ebb3ead85 100644
--- a/test/log/4500
+++ b/test/log/4500
@@ -23,3 +23,8 @@
 1999-03-02 09:44:33 10HmbB-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [fail - hash too weak]
 1999-03-02 09:44:33 10HmbB-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=policy (fail - hash too weak) header.d=test.ex header.s=sel header.a=rsa-sha1
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmbC-0005vi-00 signer: test.ex bits: 512
+1999-03-02 09:44:33 10HmbC-0005vi-00 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification failed - signature invalid (key too short)]
+1999-03-02 09:44:33 10HmbC-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=fail (public key too short: 512 bits)\n		 header.d=test.ex header.s=ses header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
diff --git a/test/log/4540 b/test/log/4540
index 9724325ee..4018c7fa2 100644
--- a/test/log/4540
+++ b/test/log/4540
@@ -15,3 +15,8 @@
 1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=kitterman.org s=ed25519 c=relaxed/simple a=ed25519-sha256 b=512 i=@kitterman.org t=1517847601 [verification succeeded]
 1999-03-02 09:44:33 10HmbA-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=pass header.d=kitterman.org header.i=@kitterman.org header.s=ed25519 header.a=ed25519-sha256
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=kitterman.org id=example@example.com
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmbB-0005vi-00 signer: test.ex bits: 253
+1999-03-02 09:44:33 10HmbB-0005vi-00 DKIM: d=test.ex s=sed c=relaxed/relaxed a=ed25519-sha256 b=512 [verification failed - signature invalid (key too short)]
+1999-03-02 09:44:33 10HmbB-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=fail (public key too short: 253 bits)\n		 header.d=test.ex header.s=sed header.a=ed25519-sha256
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex
diff --git a/test/scripts/4500-DKIM/4500 b/test/scripts/4500-DKIM/4500
index 3999d4988..81fa577d9 100644
--- a/test/scripts/4500-DKIM/4500
+++ b/test/scripts/4500-DKIM/4500
@@ -1,6 +1,6 @@
 # DKIM verify, simple canonicalisation
 #
-exim -DSERVER=server -bd -oX PORT_D
+exim -DSERVER=server -DMSIZE='rsa=512 ed25519=250' -bd -oX PORT_D
 ****
 #
 # This should pass.
@@ -138,7 +138,7 @@ QUIT
 killdaemon
 #
 # A verifier that refuses sha1
-exim -DSERVER=server -DOPTION -bd -oX PORT_D
+exim -DSERVER=server -DOPTION -DMSIZE='rsa=512 ed25519c=32' -bd -oX PORT_D
 ****
 #
 # This should fail despite being a passing submission above (with the unlimited verifier).
@@ -174,5 +174,45 @@ QUIT
 ****
 killdaemon
 #
+#
+#
+#
+#
+#
+# With the default keysize minima, a 512b key should fail
+exim -DSERVER=server -bd -oX PORT_D
+****
+#  - sha1, 512b
+# Mail original in aux-fixed/4500.msg1.txt
+# Sig generated by: perl aux-fixed/dkim/sign.pl --method=simple/simple --selector=ses \
+#			--keyfile=aux-fixed/dkim/dkim512.private < aux-fixed/4500.msg1.txt
+client 127.0.0.1 PORT_D
+??? 220
+HELO xxx
+??? 250
+MAIL FROM:<CALLER@bloggs.com>
+??? 250
+RCPT TO:<a@test.ex>
+??? 250
+DATA
+??? 354
+DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=test.ex; h=from:to
+	:date:message-id:subject; s=ses; bh=OB9dZVu7+5/ufs3TH9leIcEpXSo=; b=
+	cIErF1eueIT9AU4qG54FyT3yrlVDDM7RZnuU6fWTevZpAuMqhYcRO8tU3U4vtKWB
+	+I2vd+F1gzqCzBcRtfLhZg==
+From: mrgus@text.ex
+To: bakawolf@yahoo.com
+Date: Thu, 19 Nov 2015 17:00:07 -0700
+Message-ID: <qwerty1234@disco-zombie.net>
+Subject: simple test
+
+This is a simple test.
+.
+??? 250
+QUIT
+??? 221
+****
+killdaemon
+#
 no_stdout_check
 no_msglog_check
diff --git a/test/scripts/4540-DKIM-Ed25519/4540 b/test/scripts/4540-DKIM-Ed25519/4540
index 22558dfa7..317385041 100644
--- a/test/scripts/4540-DKIM-Ed25519/4540
+++ b/test/scripts/4540-DKIM-Ed25519/4540
@@ -112,5 +112,46 @@ QUIT
 ****
 #
 killdaemon
+#
+#
+#
+#
+# This should fail because the signing pubkey is too small.
+exim -DSERVER=server -DMSIZE='rsa=1024 ed25519=300' -bd -oX PORT_D
+****
+#
+# Duplicate test input to the first one, above.
+#
+client 127.0.0.1 PORT_D
+??? 220
+HELO xxx
+??? 250
+MAIL FROM:<CALLER@bloggs.com>
+??? 250
+RCPT TO:<a@test.ex>
+??? 250
+DATA
+??? 354
+DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=test.ex
+	; s=sed; h=From:To:Subject; bh=/Ab0giHZitYQbDhFszoqQRUkgqueaX9zatJttIU/plc=;
+	 b=5fhyD3EILDrnL4DnkD4hDaeis7+GSzL9GMHrhIDZJjuJ00WD5iI8SQ1q9rDfzFL/Kdw0VIyB4R
+	Dq0a4H6HI+Bw==;
+Received: from jgh by myhost.test.ex with local (Exim x.yz)
+	envelope-from <jgh@myhost.test.ex>)
+	 1dtXln-0000YP-Hb
+	 a@test.ex; Sun, 17 Sep 2017 12:29:51 +0100
+From: nobody@example.com
+Message-Id: <E1dtXln-0000YP-Hb@myhost.test.ex>
+Sender: CALLER_NAME <jgh@myhost.test.ex>
+Date: Sun, 17 Sep 2017 12:29:51 +0100
+
+content
+.
+??? 250
+QUIT
+??? 221
+****
+killdaemon
+#
 no_stdout_check
 no_msglog_check
diff --git a/test/stderr/4507 b/test/stderr/4507
index 1c45d0955..492b2ddf2 100644
--- a/test/stderr/4507
+++ b/test/stderr/4507
@@ -9,22 +9,22 @@
 >>> host in helo_try_verify_hosts? no (option unset)
 >>> host in helo_accept_junk_hosts? no (option unset)
 >>> xxx in helo_lookup_domains? no (end of list)
->>> processing "accept" (TESTSUITE/test-config 44)
+>>> processing "accept" (TESTSUITE/test-config 47)
 >>> accept: condition test succeeded in inline ACL
 >>> end of inline ACL: ACCEPT
 >>> host in ignore_fromline_hosts? no (option unset)
 >>> using ACL "check_dkim"
->>> processing "warn" (TESTSUITE/test-config 35)
+>>> processing "warn" (TESTSUITE/test-config 38)
 >>> check logwrite = signer: $dkim_cur_signer bits: $dkim_key_length
 >>>                = signer: test.ex bits: 1024
 LOG: 10HmaX-0005vi-00 signer: test.ex bits: 1024
 >>> warn: condition test succeeded in ACL "check_dkim"
->>> processing "accept" (TESTSUITE/test-config 38)
+>>> processing "accept" (TESTSUITE/test-config 41)
 >>> accept: condition test succeeded in ACL "check_dkim"
 >>> end of ACL "check_dkim": ACCEPT
 LOG: 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
 >>> using ACL "check_data"
->>> processing "accept" (TESTSUITE/test-config 42)
+>>> processing "accept" (TESTSUITE/test-config 45)
 >>> check logwrite = ${authresults {$primary_hostname}}
 >>>                = Authentication-Results: myhost.test.ex;
 >>> 	dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1